The previous article published on this platform dealt with how the US elections are at risk of being disrupted through the use of ransomware. A core element of Recorded Future’s research into the matter centered on the increased use of Remote Desktop Protocol (RDP) and Citrix tools by staff forced to work from home during the COVID-19 pandemic, which has widened the attack surface available to ransomware gangs. Recent research published by Coveware paints another picture. Rather than the potential threat, Coveware’s research is grounded in incidents already handled and deals with the current ransomware marketplace. The research covers the second quarter of 2020 and revealed several worrying trends for enterprises of every size, chief among them that the average ransom payment increased 60% over the previous quarter.
Coveware releases these reports quarterly, and they provide helpful insight into the realities faced by those tasked with defending networks. One of the more interesting insights concerns the market share of the various ransomware operators. In the first quarter, this metric was dominated by big game hunting operators such as Sodinokibi and Ryuk: nearly 60% of confirmed attacks in Q1 were carried out by the three biggest names in ransomware at the time. In Q2 that figure dropped to 30% as smaller, often less skilled, operators increased their activity and carved out a greater share of the market for themselves.
Researchers attribute this to the increased availability of relatively cheap ransomware-as-a-service (RaaS) kits that can be deployed by attackers with a lower skill set. Further, the increased use of RaaS kits could be attributed to individuals already under financial strain, and strained further by the coronavirus pandemic, turning to cybercrime as a means to relieve that pressure. This is mirrored in the way RaaS kits are used against the softest targets: organizations that lack the resources needed to defend against these attacks, resources that may themselves be stretched thin by the pandemic.
All of these factors have contributed to the steep rise in ransom payments mentioned above. According to Coveware,
“The average ransom payment in Q2 was $178,254, a 60% leap from the $111,605 average in Q1. Average ransom payments climbed steadily since 2018, which coincided with the arrival of the first “big game hunting” ransomware variants, BitPaymer and Ryuk. Prior to big game tactics, the ransomware sphere was dominated by opportunistic spray-and-pray threat actors who rarely exercised victim profiling and issued nominal demands that remained constant whether the victim was a 10-person company or a 1,000 person enterprise.”
Spear phishing and RDP Attack Vectors Increase
The report also notes that spear phishing and RDP-based attacks increased over the previous quarter. In particular, the use of exposed RDP endpoints to gain a foothold on the victim’s network rose sharply, largely because it is the method of choice against small and medium enterprises. This again has much to do with the increased use of RaaS kits: their operators tend to favor RDP compromise because spear phishing, and the malware delivery it relies on, takes more skill to execute well. In practice an “RDP exploit” here rarely means a software flaw in RDP itself; it means an RDP service reachable from the internet and protected by a weak, reused or stolen password. According to the report, intrusions via RDP rose 41% over the quarter. Other security firms have also noted the spike, with Emsisoft noting that RDP exploits are the “single biggest” attack vector in terms of ransomware infections.
It would be too easy, perhaps, to attribute this rise to the work-from-home arrangements many of us now find ourselves in. The reality is likely different. Knowing how to abuse RDP became a must for ransomware gangs looking to target large corporate networks for an even larger payday. Since last year, attacks on RDP connections have skyrocketed as these gangs came to see exposed RDP as the easiest way to compromise a network. Other malware gangs and hackers must surely have taken notice.
It would seem that most have indeed taken notice, as a subset of hackers has emerged that specifically scans for vulnerable RDP endpoints. Once discovered, they can sell the details on to another gang or choose to compromise the network themselves. As a result, so-called “RDP shops” have appeared on underground hacking forums selling usernames and passwords for these exposed systems. These shops see regular interaction with ransomware gangs, and partnerships between the two have flourished: the ransomware gangs can profit from the access the RDP hackers hold, the perfect business partnership.
This partnership has evolved to the point where some RDP hackers have closed shop to become partners with particular ransomware operations; some have even become affiliates. The gang that distributes and profits from the Maze ransomware strain was quick to use this to its advantage and almost exclusively targets large corporations. Coveware noted,
“…the Maze group scaled their organization dramatically during Q2. As an organization, Maze increased the volume and size of attacks along with the size and complexity of its affiliates. The definition of a ransomware ‘affiliate’ is no longer limited to a distributor that carries out attacks. Maze currently relies on a host of other specialists to carry out and extort their victims. The specialists include people skilled in TOR cloud bulletproof hosting, cloud data storage and migration, front end web development, and facilitating negotiations. All of these are separate skill sets, and Maze uses a network of different people in each of these groups to run their organization.”
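The RDP trade described in the preceding paragraphs runs on guessed or stolen passwords, so the defensive counterpart is spotting the guessing before a working credential ends up for sale. The following Python script is an added example, not code from Coveware, Emsisoft or the author of this article. It assumes Windows Security log events have already been exported to a simple pipe-separated text format (a constructed format for this example; real EVTX or CSV exports need their own parser) and flags source addresses that produce a burst of failed RDP logons, escalating when a successful logon from the same source follows the burst.

```python
"""Spot RDP password guessing in exported Windows Security log events.

Added example (not code from Coveware, Emsisoft or this article). It assumes
Security-log events have already been exported to a constructed, pipe-separated
format: timestamp|event_id|logon_type|account|source_ip. Event ID 4625 is a
failed logon, 4624 a successful one. Logon type 10 is RemoteInteractive (RDP);
with Network Level Authentication enabled, failed RDP attempts are usually
recorded as type 3 (network) instead, so both are considered here. Type 3 also
covers SMB and other network logons, so a production rule would additionally
correlate on the RDP listener (TCP/3389) or the logon process.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample events, not real data. 203.0.113.45 sprays a handful of
# common account names, then lands a working password for "jsmith".
# 198.51.100.7 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2020-07-01T02:14:03|4625|3|Administrator|203.0.113.45
2020-07-01T02:14:05|4625|3|admin|203.0.113.45
2020-07-01T02:14:06|4625|3|backup|203.0.113.45
2020-07-01T02:14:08|4625|3|scanner|203.0.113.45
2020-07-01T02:14:09|4625|3|jsmith|203.0.113.45
2020-07-01T02:14:11|4625|3|jsmith|203.0.113.45
2020-07-01T02:14:40|4624|10|jsmith|203.0.113.45
2020-07-01T08:02:10|4625|10|mjones|198.51.100.7
2020-07-01T08:02:31|4624|10|mjones|198.51.100.7
"""


def parse_line(line):
    """Parse one pipe-separated event line into a dict."""
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account.lower(),  # Windows account names are case-insensitive
        "src": src,
    }


def parse_log(text):
    """Parse all non-empty lines of an export into event dicts."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with at least `threshold`
    failed RDP logons inside any `window`-long period.

    A finding records the largest burst seen, the distinct accounts tried
    (many accounts with few tries each is password spraying) and whether a
    successful logon from the same source followed the burst, which is the
    moment the credential is effectively compromised.
    """
    recent = defaultdict(deque)  # source ip -> failures still inside the window
    findings = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[e["src"]]
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()  # expire failures older than the window
        if e["event_id"] == FAILED_LOGON:
            q.append(e)
            if len(q) >= threshold:
                f = findings.setdefault(e["src"], {
                    "failures": 0,
                    "accounts": set(),
                    "success_after_burst": False,
                    "compromised_account": None,
                })
                f["failures"] = max(f["failures"], len(q))
                f["accounts"].update(x["account"] for x in q)
        elif e["event_id"] == SUCCESS_LOGON and len(q) >= threshold:
            # q only reaches this length after the threshold was crossed on a
            # failure, so the source is guaranteed to be in findings already.
            findings[e["src"]]["success_after_burst"] = True
            findings[e["src"]]["compromised_account"] = e["account"]
    return findings


def severity(finding):
    """Map a finding to a triage priority."""
    if finding["success_after_burst"]:
        return "critical"  # an attacker now holds a working RDP credential
    if len(finding["accounts"]) >= 3:
        return "high"      # password spraying across several accounts
    return "medium"


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {severity(f)} - {f['failures']} failures across "
              f"{len(f['accounts'])} accounts; compromised: {f['compromised_account']}")
```

The sliding window is what separates a spraying host from a user who fat-fingers a password twice before breakfast; the success-after-burst flag is the event worth paging on, because at that point the account should be treated as sold rather than merely probed.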
VPNs Increasingly Targeted
While RDP has increasingly been favored by many attackers as a primary attack vector, 2020 will be remembered for Virtual Private Networks (VPNs) being targeted by ransomware gangs. A separate report published by SenseCy highlighted the top four vulnerabilities targeted by ransomware gangs. All four are publicly known and have CVE identifiers, and the two abused most in 2020, according to that research, affect VPN products. The first is CVE-2019-19781, which has been abused by Sodinokibi, Ragnarok, DoppelPaymer, Maze, CLOP, and Nephilim.
The vulnerability affects Citrix Application Delivery Controller (ADC, formerly NetScaler ADC) and Citrix Gateway appliances; successful exploitation allows an unauthenticated attacker to connect remotely and execute arbitrary code on the appliance. In June 2020, it was reported that the IT services giant Conduent had fallen victim to a Maze ransomware attack. According to reports online, Maze targeted a Citrix server of the company that had not been patched or properly updated. On June 22, 2020, it was reported that the Indian conglomerate Indiabulls had suffered a cyber-attack carried out by the CLOP ransomware operators. Cybersecurity company Bad Packets reported that Indiabulls used a Citrix NetScaler ADC VPN gateway that was vulnerable to CVE-2019-19781.
The second vulnerability, CVE-2019-11510, affects Pulse Secure VPN products (Pulse Connect Secure). It is an unauthenticated arbitrary file read that lets an attacker retrieve cached credentials in plain text from the appliance, and with them gain remote access to the targeted network and bypass multi-factor authentication protections. It appears to be a particular favorite of Sodinokibi and has been abused in a number of incidents involving that ransomware, including two in which the attackers gained domain admin privileges and used VNC, an open-source remote access tool, for lateral movement across the network. The attackers then turned off security software and deployed the Sodinokibi ransomware. The most notable attack exploiting this vulnerability involved Travelex: in summary, the company did not patch its VPN software, which allowed Sodinokibi to encrypt large portions of the data on its network, paralyzing company operations for two weeks.
Just as an illicit trade grew around the abuse of RDP connections, it would be no surprise if “VPN shops” began to appear, followed by partnerships and skilled hackers working exclusively for ransomware gangs to compromise VPNs. The unfortunate reality is that the large majority of these attacks can be prevented: the VPN intrusions by applying the patches the vendors released, and the RDP intrusions by not exposing RDP directly to the internet, enforcing strong unique passwords and multi-factor authentication, and monitoring for failed logons. Both of the vulnerabilities mentioned above had patches available, yet they are still being used to compromise networks, which ultimately leads to data encryption and a massive loss of earnings for the victims. This is the case despite numerous warnings from security researchers and government officials. Perhaps the time for pity when someone becomes a victim this way is well and truly over.